Privatebin over plain HTTP, missing WebAssembly MIME-Types or missing SELinux write permissions not working

[cloudscape-germany]

Describe the problem/question

Could this be an issue? I see zlib library being loaded in Browser, but I still get the infamous message:

Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.

I searched that string project-wide and could not find it.

Did you use the FAQ section?

• Yes, I have read the FAQ and I found no solution/answer there.

What you did?

1. Clone our fork on a VM
2. Use SSH tunnel to proxy localhost to the VM
3. Call in Browser, getting the WebAssembly not supported message

What happens

Infobox with non-supported WebAssembly

What should happen

Privatebin should load as usual

Additional information

No response

Server address

No response

Server OS

RHEL

Webserver

Nginx with PHP-FPM

PrivateBin version

2.0.3

Browser and version

Firefox

Local operating system and version

Win11

Issue reproducibility

No, I cannot reproduce it on https://privatebin.net.

[elrido]

Check the browsers network tab in the developer utilities ([F12]) what gets blocked. More likely is that your webserver isn't delivering the WASM file with the correct mime type. The other issue that may arise in such scenarios is that your connection is not considered "secure" by the browser, if it's http-only and not using a localhost host name or an IP on a local loopback interface and therefore the webcrypt API gets disabled.

[cloudscape-germany]

Measures we took to get it to work:

1. Enforced/Enabled SSL
2. Added wasm application mime types to /etc/nginx/mime.types and /etc/mime.types
3. Added Compression headers for Wasm

location ~ \.wasm\.gz$ {
    add_header Content-Encoding gzip;
    types {
        application/wasm wasm.gz;
    }
}

I'm curious if above wasm location block is really needed, we took it from the Unity WebGL documentation.

There is still one error remaining although filling out the Text Inputfield: "Document could not be created, For creation you need to fill at least "Text" or "Attach File"..

[elrido]

You can add the gzip compression, but the file ending would not change due to this. I would not recommend to use the above block and it should not have an impact on the .wasm file served by PrivateBin.

You don't have to add that header manually. Nginx can simply be configured with gzip compression transparently enabled (if the client signals support for it in their request headers) and be told a list of mime types to compress (pointless to compress images or video). Have a look at this example from our PrivateBin nginx container image:
https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/etc/nginx/http.d/compression.conf

Note that nginx will use a cache for such compressed files, unless you disabled that or give it only limited disk space. So it won't have to recompress the same content over and over again. See also the other files we use to tweak file cache settings: https://github.com/PrivateBin/docker-nginx-fpm-alpine/blob/master/etc/nginx/http.d/cache-file-descriptors.conf

[cloudscape-germany]

Seeing this is nginx.error logs:

2026/03/06 15:42:19 [error] 20322#20322: *11 FastCGI sent in stderr: "PHP message: failed to store the server salt, delete tokens, traffic limiter and user icons won't workPHP message: failed to store the traffic limiter, it probably contains outdated informationPHP message: failed to store the purge limiter, skipping purge cycle to avoid getting stuck in a purge loopPHP message: PHP Warning: mkdir(): Permission denied in /var/www/privatebin/lib/Data/Filesystem.php on line 94" while reading response header from upstream, client: ::1, server: mydomain.com, request: "POST / HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "localhost:8081"

[elrido]

Well this sounds like your usual permission error. Make sure your php-fpm process user (which can well be different from the nginx user) has permissions to write into your data directory. You'll find plenty of more detailed descriptions on what to do in the project when you search for that "failed to store" message.

[cloudscape-germany]

Solution: Fix SELinux Permissions

Change context — Set the SELinux security context on files/directories

chcon -Rv -t httpd_sys_rw_content_t /var/www/privatebin

Breaking down the flags:
-R = Recursive
-t = Type of SELinux context

SELinux contexts have four parts (user:role:type:level), and type is the one that matters most for access control. httpd_sys_rw_content_t specifically tells SELinux that web server processes are allowed to read and write this content.

The common httpd types:

httpd_sys_content_t — web server can read only
httpd_sys_rw_content_t — web server can read and write
httpd_sys_script_exec_t — web server can execute these as scripts

Verify permissions

ls -Zd /var/www/privatebin

Make changes permanent

chcon changes are not persistent across a full filesystem relabel, i.e. if someone runs restorecon -R / or touches /.autorelabel. For a permanent fix use semanage fcontext and restorecon:

semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/privatebin(/.*)?"
restorecon -R /var/www/privatebin

[elrido]

Thank you for sharing. A kind community member had contributed a wiki page on installing PrivateBin on RHEL and clones, it, too, mentions the selinux labels necessary on the data and webserver tmp directories. It would be helpful to other RHEL-(clone)-users, if you could review and update it, if necessary.

[elrido]

It's not used by PrivateBin, AFAIK. Maybe they set up their PHP session cache to use that directory? The only writeable location for us should be that data directory, unless you use a database or cloud storage (S3, GCP), in which case there do not need to be any writeable directories.

[cloudscape-germany]

That page is mixing Apache config with afaik an out-of-support CentOS with SELinux. I added above findings, but that page could be in need of more maintenance. You could mark above reply as answer and close the issue.